The bug is quite obvious. It initializes sk to tun->sk and THEN it checks if tun is NULL :P Of course, this should be done first since the compiler will optimize it and completely remove the if(!tun) check since it is performed after the assignment. Because of this, the above vulnerability can result in a nice exploitable NULL pointer dereference. This was fixed by updating the code like that: